Modern computing systems provide various methods for user authentication. A common authentication technique only has a password requirement: The user enters his or her user identifier, and then a secret password that only the user knows. This is referred to as single-factor authentication, since it only relies on what the user knows. More secure authentication regimes, such as multiple-factor authentication, require, in addition to what the user knows, verification of what the user is or does (e.g., fingerprint or retinal scan) or verification of something the user has, e.g., a token or smart card.
Smart cards provide a way to authenticate a user that is different than normal password authentication. With smart card authentication, a user inserts a smart card into a smart card reader and enters a personal identification number (PIN). When a correct PIN is entered, one or more certificates that are on stored in the smart card are used to authenticate the user. This type of authentication provides two-factor authentication by verifying both what they have on them (the smart card and the certificates stored therein) and what they know (the smart card PIN).
In computing systems that permit remote user sessions, a user may be authenticated multiple times before the user is granted access to a remote user session, and may need to enter his or her credentials each time. For example, in computing systems that permit users to access their desktops remotely using local client devices, the user enters his or her credentials to be authenticated by his or her local client device, and then enters another set of credentials to be authenticated by the machine that is hosting the user's desktop. In some configurations, a connection broker may be disposed between the local client device and the machine that is hosting the user's desktop, requiring the user to enter yet another set of credentials to be authenticated by the connection broker.
In view of the inconvenience of repeatedly entering user credentials for access to different services, an authentication protocol known as Kerberos is adopted in certain conventional systems. In such systems, initial sign-on prompts the user for his or her credentials. Using these credentials, a Kerberos ticket-granting ticket is generated. For each of the services required for access, a service ticket, which includes the user's identity, is generated from the Kerberos ticket-granting ticket. When accessing the service, the user simply presents the service ticket to the service instead of re-entering his or her user credentials. This technique, however, is inadequate to authenticate the user for a remote desktop session, because the ticket only confirms the user's identity. Upon being granted access to the machine hosting the remote desktop session, the user has to enter his or her password to get signed onto the remote desktop session.